
InfoLaw Update January 2013 (Part 1)

In this article, Lawyer Aimee Taylor looks at how website operators have addressed the issue of consent and how the ICO is currently dealing with non-compliance.

Cookies update

With the introduction of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, the rules in relation to cookies have completely changed from a system of "informed opt-out" to "prior, informed opt-in". In almost all cases consent is required where a cookie is to be set.

Following the entry into force of the cookies regulations, the Information Commissioner’s Office (“ICO”) gave businesses a 12-month grace period within which to comply. This grace period expired in May 2012. The ICO has recently reported the results of its encouragement to individuals to report their concerns about websites and how they dealt with cookies during this period. The figures quoted below are taken from the ICO’s report.

In the period from 25 May 2012 to 21 November 2012, 550 reports were received. There were two main themes which ran throughout consumer complaints. The first was that users were largely unhappy with the implied consent mechanisms which were placed on the sites, in particular on those sites where cookies were placed immediately on entry. Secondly, people felt that they were not provided with a sufficient amount of information, in particular relating to how cookies could be declined or managed at a later date.

Of the 550 sites reported, over 50% of them (301) did not provide users with any information relating to cookies, compared to only 249 of them who did. A staggering 462 sites of the 550 surveyed did not ask for permission to place cookies, compared with only 88 that did.

In the period from 25 May 2012 to 06 September 2012, 388 concerns were received by the ICO relating to 207 websites. The ICO carried out a visual audit of those sites and then wrote to 106 of them to ask them to take steps to ensure they were compliant with the regulations. Of those 106:

- 90 took steps to inform users of the use of cookies and obtain consent;
- 68 took limited steps to inform users of the use of cookies and obtain consent;
- 48 took no steps; and
- 1 could not be reviewed.

The Top 200

The ICO focused its attention on sites within the Top 200 most visited in the UK about which it had received at least one complaint. It contacted those sites which were within the jurisdiction to seek compliance. Of those sites:

- 13 took significant steps to inform users of the use of cookies and obtain consent;
- 12 took limited steps which led to the sites still not being compliant;
- 1 site did not take any steps; and
- 8 sites were based outside the UK.

Sites taking significant steps

The majority of sites which took significant steps made use of a banner to gain implied consent from the site visitor. For example, the site http://www.moneysavingexpert.com uses a banner stating the following:

“We use ‘cookie’ files to help make your use of this site faster and easier. From this point, we’ll assume that you are happy to receive all cookies on MoneySavingExpert.com” along with a link to further information and how to change settings.

This is an example of a site relying on implied consent, as it assumes that the user is happy to accept their use of cookies by continuing to use the site.

Some sites contain a lot more detail on their banner, such as http://www.channel4.com which states the following:

“Like most websites Channel 4 uses cookies. In order to deliver a personalised, responsive service and to improve the site, we remember and store information about how you use it. This is done using simple text files called cookies which sit on your computer. These cookies are completely safe and secure and will never contain any sensitive information. They are used only by Channel 4 or the trusted partners we work with” along with a button to accept the terms and close the box, and a further link to information regarding how to manage the cookies.

This is an example of a positive action being required of the user rather than relying on implied consent – the user is given the option to click a button and accept the terms.

Sites that have taken limited steps

Those sites which only took limited steps gave some information regarding cookies, but in a limited way. The information was usually not phrased in a way that seeks to obtain consent or it was difficult to find.

Sites that have not taken any steps

The operator of the one site which fell into this category has been contacted by the ICO and given a deadline for compliance. If it does not comply with the deadline then formal action will be taken and it is likely that the ICO will name the site in order to inform consumers of its use of cookies.

Sites based outside the UK

For those sites operating outside of the UK, the ICO passed information to the relevant authorities about the concerns which were submitted.

The role of the ICO going forward

The ICO has contacted 174 websites to date, and is considering 14 for further investigation. The ICO’s approach will be initially to make contact to discuss compliance with the site owners, and then require them to take the steps considered by the ICO to be necessary to remedy the failings the ICO has identified. Each time the ICO receives a complaint about a site it will continue to act in this way to protect consumers. As ever, the ICO intends to adopt a collaborative approach, working with and assisting website owners to comply with the regulations. Only if a site refuses to take steps to comply will the ICO make use of its regulatory enforcement powers.

What does this mean for you as a website owner?

If you run a website that uses cookies, it is important that you follow the above guidance. The operators of any website which has not yet complied with the requirements of the “cookies regulations” must be able to prove to the ICO that they have taken steps towards compliance and that they have a realistic plan for achieving compliance within a particular timeframe.

The ICO advises website operators to take the following steps in particular:

- to check the types of cookies and similar technologies being used and how they are being used. This would include analysing which cookies are strictly necessary (for example for using online purchasing software) and might not need consent;
- to assess how intrusive the site’s use of cookies is, and consider using less intrusive ones; and
- to decide how best to obtain consent, such as the use of pop-ups, website headers or footers and links to cookie policies.

Users must be provided with clear and relevant information and given the option to control their choices relating to cookies.

Published: Wednesday 23rd January 2013
Categorised: Information Law
